U.S. Army Developing Mighty Morphing Network

MORPHINATOR prototype will be designed to discombobulate cyber attackers.

The U.S. Army’s Communications-Electronics Research, Development and Engineering Center (CERDEC) is building a prototype network capable of morphing over time to confuse cyber intruders and thwart attacks on military networks. The Morphing Network Assets to Restrict Adversarial Reconnaissance (MORPHINATOR) prototype is scheduled to be available in the 2014 fiscal year and will be capable of pulling a cyber bait-and-switch on unsuspecting network intruders.

MORPHINATOR uses a concept known as cybermaneuver, which modifies aspects and configurations of networks, hosts and applications in a way that is undetectable and unpredictable for an adversary but still manageable for network administrators. “We’re looking to dynamically modify and shape our networks to prevent, delay or deter cyber attack,” says Jonathan Santos, chief of the Information Security Branch for CERDEC's Space and Terrestrial Communications Directorate. “If an attacker comes in, they conduct reconnaissance, they learn the network layout and everything they can about the systems and users. They go away and develop their exploits, and by the time they come back, things have changed on the network to such an extent that those exploits they’ve crafted are no longer useful.”

The initial prototype will focus on Internet protocol (IP) address hopping and application port hopping. With IP hopping, the IP address previously assigned to a Windows computer may later be assigned to a Linux machine and vice versa so that the exploits designed for a specific computer become unusable, Santos explains. Application port hopping is a similar concept. “All applications on a computer use a port to help with the actual transmission of data. Those port numbers allow the computer to be fingerprinted so that the attacker can figure out what applications are most likely to be used on a machine. If we can stop that ability to fingerprint, then we can restrict the attackers from being able to exploit the computer,” Santos adds.

CERDEC recently awarded a $3.1 million contract to Raytheon Company, Marlborough, Massachusetts, to develop MORPHINATOR. “The intent of cybermaneuver is to place computer network defense technology into a proactive state, thereby shifting the advantage away from the attacker,” Jack Donnelly, director of Trusted Network Systems for Raytheon's Network Centric Systems business, said in a July 16 press release. “By constantly changing the characteristics of the networks it resides on, MORPHINATOR provides a more robust and trusted networking solution.”

The initial two-year prototype effort also will include studies on how far down the tactical network cybermaneuver technology can be deployed and what impact it might have on network administrators and military operations. “It’s already difficult to manage networks now, so how do we do that if things are moving around? And how do we understand the impact to the warfighters and the warfighters’ networks and the warfighters’ mission? We don’t want to do things from a security perspective that will negatively impact or risk anything that the warfighters are doing,” Santos states.

Current plans call for a follow-on program to the initial prototyping effort. The follow-on will further mature the initial technologies and explore which other parts of a network might be morphed.

The system is designed to be used in conjunction with other existing security devices to provide an active defense approach to information assurance. Illustrating the CERDEC team’s knack for creatively naming programs, MORPHINATOR is closely aligned with the Defensive Enhancements for Information Assurance Network Technologies (DEFIANT) and the Cyber Unification, Security Hardening and Protection of Operational Frameworks (CRUSHPROOF) programs. DEFIANT is a research and development effort to create smart agent-based technologies to detect and protect tactical systems from zero-day attacks. Integrating DEFIANT with MORPHINATOR will provide better situational awareness of how well attacks are working and whether network morphing efforts need to be intensified.

CRUSHPROOF, on the other hand, provides services and communications between disparate computer network defense technologies, including MORPHINATOR and DEFIANT, in order to provide a near real-time cybersecurity situational awareness of the network. “To bridge those programs together, we have the CRUSHPROOF program, which is trying to take disparate computer network defense technologies and putting together a framework for those technologies to talk over, to make certain messaging or services or capabilities are common across those components so that they can better share information in real time and provide a much more increased cyber situational awareness picture of the network,” Santos says.

A DEFIANT prototype is scheduled to be available in fiscal year 2013 with CRUSHPROOF the following year.